Description

FIELD OF THE INVENTION 

[0001] The present invention relates generally to Virtual Private Networks (VPNs) and, more particularly, to a technique for implementing resource allocation for implementing VPN services using an auto-discovery process for configuring one or more Layer-2 and Layer-3 VPNs.

BACKGROUND OF THE INVENTION 

[0002] In the absence of a privacy mechanism, sensitive data (e.g., passwords, account numbers, proprietary information, etc.) transmitted over a network may be susceptible to interception by unauthorized parties. One privacy mechanism commonly used to protect network data is the Virtual Private Network (VPN). Using specialized tunneling protocols and optionally secure encryption techniques, data integrity and privacy may be maintained in a VPN in what seems like a dedicated point-to-point connection.

[0003] Network-based VPNs typically are implemented through a tunneling mechanism. In general, the tunneling mechanism encapsulates the packet headers and/or payload prior to transmission of the packet over an established VPN tunnel. As a result, the transmission of a VPN-based packet only uses non-tunneling information, such as the Internet Protocol (IP) addresses of the ends of the tunnels, while the sensitive information, such as the source and destination IP addresses and sensitive payload data, remains encapsulated. Exemplary tunneling mechanisms include IP/IP tunneling, Generic Routing Encapsulation (GRE) tunneling, IP Security (IPSec) tunneling and Multi-Protocol Label Switching (MPLS) tunneling. The configuration of a VPN tunnel typically is specific to the particular type of VPN used.

[0004] A typical Network IP-based VPN generally includes at least two provider edge (PE) devices (e.g., a VPN-enabled router) interconnected via a series of provider devices (e.g., routers) that form a network backbone, where the network backbone typically includes one or more public networks, such as, for example, the Internet or a wide area network (WAN). Connected to each PE device are one or more customer edge (CE) devices, such as a workstation or personal computer. In this type of network-based VPN, VPN tunnels are established between PE devices, rather than between CE devices. These tunnels, herein referred to as PE-PE tunnels, typically are established at either Layer-2 or Layer-3 of the International Standard Organization's Open System Interconnect (ISO/OSI) network model. Exemplary VPN mechanisms at Layer-2 include Virtual Private LAN Service (VPLS) (see Waldemar Augustyn et al., "Requirements for Virtual Private LAN Services (VPLS)," October 2002, available at <http://www.ietf.org/internet-drafts/draft-ietf-ppvpn-vpls-requirement-01.txt>) and Virtual Private Wire (VPW) (see Eric Rosen et al., "L2VPN Framework," February 2003, available at <http://www.ietf.org/internet-drafts/draft-ietf-ppvpn-l2-framework-03.txt>). Exemplary VPN mechanisms at Layer-3 include Virtual Routing (VR)-based mechanisms, such as VR using Border Gateway Protocol (BGP) (see Hamid Ould-Brahim et al., "Network based IP VPN Architecture using Virtual Routers," July 2002, available at <http://www.ietf.org/internet-drafts/draft-ietf-ppvpn-vpn-vr-03.txt>) or VPNs based on RFC 2547bis (often referred to as BGP/MPLS-based VPNs) (see Eric Rosen et al., "BGP/MPLS VPNs," available at <http://www.ietf.org/internet-drafts/draft-ietf-ppvpn-rfc2547bis-03.txt>, October 2002).

[0005] Regardless of the VPN mechanism used, a primary step in establishing a network-based VPN is to provide information about each VPN configured on a local PE device to the remaining remote PE devices. A number of mechanisms may be implemented to achieve this distribution of PE information, such as BGP, Domain Name Service (DNS), Remote Authentication Dial In User Service (RADIUS), and the like. Such mechanisms are well known in the art. After distributing this PE information, one or more PE-PE tunnels typically are established based in part on information received through a VPN auto-discovery mechanism.

[0006] Various tunnel signalling protocols may be used to establish and maintain VPN tunnels, such as, for example, Resource Reservation Protocol (RSVP), Resource Reservation Protocol - Traffic Engineered (RSVP-TE), Label Distribution Protocol (LDP), Constraint-based Routing LDP (CR-LDP), Asynchronous Transfer Mode (ATM), Frame Relay, Generic Routing Encapsulation (GRE), IPSec, and the like.

[0007] Various parameters for VPN tunnels in conventional Layer-2 and Layer-3 VPNs typically are configured manually by the service provider. As a result, the scalability of such conventional VPN implementations is limited due to the difficulty in manually configuring a complex and dynamic VPN system having a large number of PE devices and/or constantly changing system requirements, such as a continuously changing number of tunnels/VPNs, constant, continuous changes in resources such as bandwidth, delay and/or Quality of Service (QoS) requirements, and the like. Further, these conventional VPN implementations generally lack a defined mechanism to relate VPN tunnels to a per VPN or per set of VPNs resources such as QoS profiles or other tunnel-specific parameters. As a result, the flexibility of such conventional VPN systems is compromised because the VPN is unable to predictably respond to changes in bandwidth requirements, QoS requirements, and the like.

[0008] In view of the foregoing, it would be desirable to provide a technique for facilitating the configuration of VPN tunnels based at least in part on supplied parameters in an auto-discovery manner. More particularly, it would be desirable to implement resource profiles such as Quality of Service (QoS) parameters using a VPN auto-discovery as an extension to existing auto-discovery mechanisms in an efficient and cost-effective manner.

SUMMARY OF THE INVENTION 

[0009] In accordance with one aspect of the present invention, a method for establishing a Virtual Private Network (VPN) tunnel between a first provider edge (PE) device and a second (PE) device of a Provider-Provisioned VPN (PPVPN) is provided. The method comprises advertising at least one tunnel-based parameter to one or more PE devices over a network backbone using an auto-discovery mechanism, the one or more PE devices including at least one of the first and second PE devices and configuring a VPN tunnel between the first and second PE devices based at least in part on the at least one tunnel-based parameter. A computer signal embodied in a carrier wave readable by a computing system and encoding a computer program of instructions for executing a computer process may be used to perform the above method. The invention also provides at least one readable carrier for storing a computer program of instructions configured to be readable by at least one processor for instructing the at least one processor to execute a computer process for performing the above method.

[0010] A Provider-Provisioned Virtual Private Network (PPVPN) system is provided in accordance with another aspect of the present invention. The system comprises auto-discovery means for distributing at least one Virtual Private Network (VPN) tunnel-based parameter to at least a first and second provider edge (PE) devices and tunnel signalling means for configuring a VPN tunnel over a network backbone between the first and second PE devices based at least in part on the at least one tunnel-based parameter.

[0011] The present invention will now be described in more detail with reference to exemplary embodiments thereof as shown in the appended drawings. While the present invention is described below with reference to preferred embodiments, it should be understood that the present invention is not limited thereto. Those of ordinary skill in the art having access to the teachings herein will recognize additional implementations, modifications, and embodiments, as well as other fields of use, which are within the scope of the present invention as disclosed and claimed herein, and with respect to which the present invention could be of significant utility.

[0012] In order to facilitate a fuller understanding of the present invention, reference is now made to the appended drawings. These drawings should not be construed as limiting the present invention, but are intended to be exemplary only.

Figure 1 is a schematic diagram illustrating a Provider-Provisioned Virtual Private Network (PPVPN) system utilizing a VPN auto-discovery mechanism in accordance with at least one embodiment of the present invention.

Figure 2 is a flow diagram illustrating an overview of a VPN auto-discovery mechanism for establishing and/or maintaining a provider-edge-to-provider-edge (PE-PE) tunnel in accordance with at least one embodiment of the present invention.

Figure 3 is a flow diagram illustrating an exemplary implementation of the VPN auto-discovery mechanism of Figure 2 in a RFC 2547bis-based VPN in accordance with at least one embodiment of the present invention.

Figure 4 is a flow diagram illustrating an exemplary implementation of the VPN auto-discovery mechanism of Figure 2 in a Virtual Routing-based VPN in accordance with at least one embodiment of the present invention.

Figure 5 is a flow diagram illustrating an exemplary implementation of the VPN auto-discovery mechanism of Figure 2 in a Layer-2 VPN using a Virtual Private Local Area Network Service (VPLS)-based or VPW-based mechanism in accordance with at least one embodiment of the present invention.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENT(S)

[0013] Figures 1-5 illustrate various exemplary implementations for creating scalable VPN PE-PE tunnels in Layer-2 or Layer-3 PPVPNs using an auto-discovery mechanism. Information regarding the establishment and/or configuration of a tunnel between two PE devices may be advertised among the PE devices of a network. This information may include, for example, the desired tunnel signalling protocol, the Quality of Service (QoS) profile for the tunnel, the PE tunnel endpoint, membership information, the VPN technology to be used, etc. In at least one embodiment, this information may be advertised as an extension to a conventional auto-discovery mechanism commonly used in VPNs, such as the Border Gateway Protocol (BGP), directory service protocols (e.g., Domain Name Service (DNS), RADIUS), and the like. After distributing this information, a tunnel may be established between the appropriate PE devices based at least in part on the supplied information. Alternatively, the PEs may select an existing tunnel that complies with some or all of the supplied parameters. By implementing an auto-discovery technique to distribute the QoS profile for the purpose of VPN tunnel configuration and/or establishment information, the scalability of the VPN system may be enhanced because the QoS profile of a tunnel may be set according to the requirements of the VPN services, where the information is distributed among the PEs in an automated fashion rather than implemented by manual configuration as in conventional VPN systems.

[0014] Referring now to Figure 1, an exemplary PPVPN system 100 implementing a capability discovery mechanism is illustrated in accordance with at least one embodiment of the present invention. In the illustrated example, the PPVPN system 100 includes PE routers 102, 104 connected via a network backbone 106. Although described herein as VPN-enabled routers, the PE routers 102, 104 may include other appropriate PE devices such as, for example, MPLS/IP Layer-2 switches. The network backbone 106 may include any number of provider network devices interconnected using one or more data link types such as, for example, IP, ATM, Frame Relay (FR), Time Division Multiplexing (TDM), Ethernet, Optical Ethernet, and the like.

[0015] Connected to each PE router 102, 104 are one or more VPN segments, such as VPN segments 142-146 connected to PE router 102 and VPN segments 152-156 connected to PE router 104. Each VPN segment 142-146, 152-156 may include one or more networked customer edge (CE) devices as well as devices to facilitate network connectivity, such as hubs, routers, switches, bridges, and the like. As understood in the art, CE devices may include any of a variety of networked devices, such as personal computers, laptops, workstations, and the like.

[0016] In general, each VPN segment connected to the PE router 102 is a member of the same VPN as a VPN segment connected to the PE router 104, thereby allowing a VPN to be established between devices on the VPN segments. In the illustrated example, the VPN segments 142, 152 are members of VPN_A, the VPN segments 144, 154 are members of VPN_B, and the VPN segments 146, 156 are members of VPN_C. Although each VPN segment is illustrated in Figure 1 as a member of a single VPN, it will be appreciated that a VPN segment may be a member of a plurality of VPNs. Likewise, a CE device may be a member of a plurality of VPNs and therefore may be a member of more than one VPN segment.

[0017] To facilitate communications between VPN segments, each PE router 102, 104 may include a VPN interface corresponding to a VPN segment. To illustrate, the PE router 102 may include VPN interfaces 122-126 to interface with VPN segments 142-146, respectively, and the PE router 104 may include VPN interfaces 132-136 to interface with VPN segments 152-156, respectively.

[0018] Depending on the VPN technology utilized, the VPN interfaces 122-126, 132-136 may be implemented in any of a variety of ways. For example, if the PPVPN system 100 implements a Layer-3 VPN using Virtual Routing (VR), the VPN interfaces 122-126, 132-136 may include Virtual Routers implemented by the PE routers 102, 104 to provide Virtual Routing between the CE devices on the VPN segments. Virtual Routing and Virtual Routers are well known to those skilled in the art.

[0019] For example, if the PPVPN system 100 implements a Layer-3 VPN using RFC2547bis, the VPN interfaces 122-126, 132-136 may include Virtual Routing and Forwarding (VRF) implemented by the PE routers 102, 104 to provide Virtual Routing and Forwarding tables between the CE devices on the VPN segments. RFC2547bis and Virtual Routing and Forwarding are well known to those skilled in the art.

[0020] Alternatively, if the PPVPN system 100 implements a Layer-2 VPW in accordance with VPW (see, e.g., "L2VPN Framework," supra), the VPN interfaces 122-126, 132-136 may include a Virtual Switching Instance (VSI) implemented by the PE routers 102, 104 to provide Layer-2 attachment circuits between the CE devices on the VPN segments. Layer-2 VPNs and Virtual Switching Instances are well known to those skilled in the art.

[0021] Further, in at least one embodiment, the PE router 102 may include an auto-discovery (AD) component 112 and a tunnel signalling component 116 and the PE router 104 may include an AD component 114 and a tunnel signalling component 118. As discussed in greater detail below, the tunnel signalling components 116, 118 may be adapted to create, configure and/or maintain one or more VPN tunnels 170 between the PE routers 102-104 using one or more tunnel signalling mechanisms. Exemplary tunnel signalling mechanisms implemented by the tunnel signalling components 116, 118 may include, for example, RSVP, RSVP-TE, LDP, CR-LDP, and the like.

[0022] A number of supplied parameters may be used by the tunnel signalling components 116, 118 to create, configure and/or maintain the one or more tunnels 170 between the PE router 102 and the PE router 104. These parameters may include, for example: the type of tunnelling mechanism to be used (i.e., specifying RSVP-TE or CR-LDP); the QoS profile for each tunnel 170; the PE tunnel endpoints for a particular VPN membership; the VPN technology to use (e.g., Layer-3 technology v. Layer-2 technology, 2547bis v. Virtual Routing, etc.); and the like. For ease of discussion, this information is collectively referred to herein as VPN Capability Discovery Information (VCDI).

[0023] In conventional PPVPN systems, this information typically is configured manually at each PE router for each VPN membership. In one embodiment, however, the AD component 112 may be adapted to advertise this information to other PE routers on the backbone 106 using an auto-discovery mechanism (described in greater detail below). The AD component 112 then may provide received VCDI information to the tunnel signalling component 116 for use in creating, maintaining, and/or configuring the one or more tunnels 170 associated with the VCDI information.

[0024] The auto-discovery mechanism may be implemented in any of a variety of ways. In at least one embodiment, the auto-discovery mechanism may be implemented as an extension to conventional information distribution protocols, such as BGP, DNS, and RADIUS. To illustrate using BGP, the VCDI information for each of VPN_A, VPN_B, and VPN_C may be determined and transmitted to the PE routers 102, 104 as profiles 162-166, respectively, as part of a BGP UPDATE 160 transmitted over the backbone 106. Upon receipt of the BGP UPDATE 160, the AD components 112, 114 (each BGP-enabled in this case) then may extract the profiles 162-166 and supply the VCDI information of the profiles 162-166 to the tunnel signalling components 116, 118 for use in creating, maintaining, and/or configuring the VPN tunnel(s) 170 associated with each VPN. DNS, RADIUS, and other directory service protocols may be extended in a similar manner to distribute VCDI to the PE routers. Accordingly, rather than having to manually configure VPN tunnels at each PE router, the VPN tunnel configuration information (i.e., the VCDI) may be "piggybacked" onto auto-discovery information by extending the auto-discovery protocol to include the transmission of the VCDI information.

[0025] Referring now to Figure 2, an exemplary overview of the VPN tunnel configuration process is illustrated in accordance with at least one embodiment of the present invention. In the illustrated example, the VPN tunnel configuration process 200 initiates at step 202, wherein the VCDI information for a given VPN may be determined. The VCDI information may include information regarding the configuration of one or more VPN tunnels between PE routers for the VPN. For example, the VCDI information may specify the PE tunnel endpoints, community route targets, resource parameters (e.g., minimum bandwidth, maximum delay, committed burst size, committed rate, jitter, error, ownership, physical position, type of transport medium, etc.), topology information, and other parameters utilized by the tunnel signalling mechanisms to establish and/or configure a VPN tunnel.

[0026] At step 204, the VCDI information obtained at step 202 may be advertised to some or all of the PE routers on the backbone. The advertisement of the VCDI information, in one embodiment, includes incorporating the VCDI information into a conventional information distribution protocol. For example, the VCDI information could be incorporated as an extension of BGP and transmitted between PE routers using, for example, a BGP UPDATE transmission. Alternatively, the VCDI information could be formatted and transmitted in accordance with DNS or RADIUS. Multicast-based protocols also may be extended to multicast the VCDI information to some or all of the PE routers over the backbone.

[0027] At step 206, upon receipt of the VCDI information, a PE router may begin negotiating the creation of a VPN (or per VPN) PE-PE tunnel based at least in part on the received VCDI information. As noted above, the creation and configuration of a VPN tunnel is well known in the art (see Hamid Ould-Brahim et al., "Using BGP as an Auto-Discovery Mechanism for Network-Based VPNs," August 2002, available at <http://www.ietf.org/internet-drafts/draft-ietf-ppvpn-bgvpn-auto-03.txt>).

[0028] In creating and configuring the VPN tunnel from the VCDI information, any of a variety of tunnelling mechanisms may be used, as appropriate. Examples of such mechanisms include, for example, RSVP-TE, LDP, CR-LDP, and the like. After creating the VPN tunnel, CE devices on the various VPN segments then may utilize the VPN tunnel to transmit data securely between VPN segments.
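The steps of process 200 (determine the VCDI, advertise it, then configure a tunnel or select a compliant pre-existing one) can be modelled as follows. This is an added Python illustration, not part of the patent text; the class names, the "ignored"/"rejected" outcomes, the compliance rule and the sample PE names and values are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vcdi:
    """One VCDI profile (hypothetical field set drawn from the parameters listed above)."""
    vpn_id: str
    endpoint: str            # PE tunnel endpoint that advertised the profile
    signalling: str          # tunnel signalling mechanism, e.g. "RSVP-TE" or "CR-LDP"
    min_bandwidth_mbps: int  # resource parameter: minimum bandwidth
    max_delay_ms: int        # resource parameter: maximum delay


@dataclass
class Tunnel:
    remote: str
    signalling: str
    bandwidth_mbps: int
    delay_ms: int
    vpns: set = field(default_factory=set)

    def complies_with(self, p: Vcdi) -> bool:
        # Assumed compliance rule: same endpoint and mechanism, resources at least as good.
        return (self.remote == p.endpoint
                and self.signalling == p.signalling
                and self.bandwidth_mbps >= p.min_bandwidth_mbps
                and self.delay_ms <= p.max_delay_ms)


@dataclass
class PeRouter:
    name: str
    local_vpns: set              # VPN memberships configured on this PE
    supported_signalling: set
    tunnels: list = field(default_factory=list)

    def build_update(self, requirements: dict) -> list:
        """Steps 202/204: turn per-VPN requirements into the profiles to advertise.

        The returned list stands in for the profiles carried in one BGP UPDATE.
        """
        return [Vcdi(vpn, self.name, sig, bw, delay)
                for vpn, (sig, bw, delay) in requirements.items()
                if vpn in self.local_vpns]

    def receive_update(self, update: list) -> dict:
        """Step 206: per advertised VPN, reuse a compliant tunnel or set up a new one."""
        decisions = {}
        for p in update:
            # Only act on VPNs this PE is a member of, and never on our own advertisement.
            if p.endpoint == self.name or p.vpn_id not in self.local_vpns:
                decisions[p.vpn_id] = "ignored"
                continue
            if p.signalling not in self.supported_signalling:
                decisions[p.vpn_id] = "rejected"
                continue
            tunnel = next((t for t in self.tunnels if t.complies_with(p)), None)
            if tunnel is None:
                # Model of signalling a new tunnel with exactly the requested resources.
                tunnel = Tunnel(p.endpoint, p.signalling,
                                p.min_bandwidth_mbps, p.max_delay_ms)
                self.tunnels.append(tunnel)
                decisions[p.vpn_id] = "created"
            else:
                decisions[p.vpn_id] = "reused"
            tunnel.vpns.add(p.vpn_id)
        return decisions


def demo():
    # Constructed sample data: two PEs, one pre-existing RSVP-TE tunnel on PE-102.
    pe104 = PeRouter("PE-104", {"VPN-A", "VPN-B", "VPN-C", "VPN-D"},
                     {"RSVP-TE", "CR-LDP"})
    pe102 = PeRouter("PE-102", {"VPN-A", "VPN-B", "VPN-C"}, {"RSVP-TE"},
                     tunnels=[Tunnel("PE-104", "RSVP-TE", 100, 20)])
    update = pe104.build_update({
        "VPN-A": ("RSVP-TE", 50, 30),    # fits the existing tunnel
        "VPN-B": ("RSVP-TE", 200, 30),   # needs more bandwidth than the existing tunnel
        "VPN-C": ("CR-LDP", 10, 50),     # mechanism PE-102 does not support
        "VPN-D": ("RSVP-TE", 10, 50),    # PE-102 is not a member of this VPN
    })
    return pe102, pe102.receive_update(update)


if __name__ == "__main__":
    router, result = demo()
    for vpn, action in result.items():
        print(vpn, action)
    print(len(router.tunnels), "tunnels on", router.name)
```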

[0029] Referring now to Figures 3-5, various exemplary implementations of the process 200 of Figure 2 for certain VPN technologies are illustrated in accordance with at least one embodiment of the present invention. Figure 3 illustrates an exemplary implementation of the process 200 for a VPN system implementing a Layer-3 VPN using RFC 2547bis. Figure 4 illustrates an exemplary implementation of the process 200 for a VPN system implementing a Layer-3 VPN using Virtual Routing. Figure 5 illustrates an exemplary implementation of the process 200 for a VPN system implementing a Layer-2 VPN using VPLS or VPW. While exemplary implementations of the process 200 are illustrated for a number of VPN technologies, those skilled in the art, using the guidelines provided herein, may modify the process 200 for various other VPN technologies without departing from the spirit or the scope of the present invention.

[0030] Referring now to Figure 3, an exemplary auto-discovery process 300 for distributing VPN tunnel configuration information in a Layer-3 PPVPN based on RFC 2547bis is illustrated in accordance with at least one embodiment of the present invention. After determining the relevant VCDI information (step 202, Figure 2), the process 300 initiates at step 302, wherein the VCDI information associated with one or more VPN tunnels may be advertised to the AD components of the PE routers (e.g., AD components 112, 114, Figure 1), as discussed above. As noted above, the VCDI information preferably is distributed as an extension of an auto-discovery protocol, such as BGP, DNS, or RADIUS. At step 304, the tunnel signalling component (e.g., tunnel signalling components 116, 118, Figure 1) at a PE router negotiates with the tunnelling mechanism at a corresponding PE router to establish and configure one or more VPN tunnels based at least in part on the supplied VCDI information. This configuration may include, for example, negotiating QoS for the VPN tunnel, setting a minimum or maximum bandwidth for the VPN tunnel, specifying the tunnelling mechanism, and the like. Alternatively, in one embodiment, the tunnel signalling component may select a pre-existing VPN tunnel that complies with some or all of the parameters set forth in the VCDI information.

[0031] Upon creation and configuration of the VPN tunnel (or selection of a pre-existing tunnel), Virtual Routing Forwarding (VRF) tables may be generated at each PE router. The generation of VRF tables is well known in the art. At step 306, these VRF tables then may be exported to the backbone using, for example, BGP and then distributed to the appropriate PE routers for use in routing VPN traffic through the established tunnel.

[0032] Referring now to Figure 4, an exemplary auto-discovery process 400 for distributing VPN tunnel configuration information in a Layer-3 VPN based on Virtual Routing is illustrated in accordance with at least one embodiment of the present invention. After determining the relevant VCDI information (step 202, Figure 2), the process 400 initiates at step 402, wherein VPN IDs are associated with the endpoints of the tunnel to be established/selected. At this point, it typically is not necessary to advertise the VR prefixes/addresses. At step 404, a list of the VPN IDs is included with other VCDI information and this information may be advertised to the AD components of the PE routers (e.g., AD components 112, 114, Figure 1), as discussed above. For Virtual Routing implementations, the VCDI information preferably is distributed as an extension of a BGP Multiprotocol Extension (BGP-MP). Other information distribution protocols, such as DNS, RADIUS, and IP multicasting may be utilized. At this point, it may be appropriate to advertise the VR prefixes/addresses.

[0033] At step 406, the backbone Virtual Router receiving the VCDI information may be adapted to establish and configure one or more VPN tunnels based at least in part on the supplied VCDI information. This configuration may include, for example, negotiating QoS for the VPN tunnel, setting a minimum or maximum bandwidth for the VPN tunnel, specifying the tunnelling mechanism, and the like. Alternatively, in one embodiment, the tunnel signalling component may select a pre-existing VPN tunnel that complies with some or all of the parameters set forth in the VCDI information. At step 408, the VPN topology information may be advertised in a manner similar to the advertisement of the VCDI information at step 404.

[0034] Referring now to Figure 5, an exemplary auto-discovery process 500 for distributing VPN tunnel configuration information in a Layer-2 PPVPN based on VPLS or VPW is illustrated in accordance with at least one embodiment of the present invention. After determining the relevant VCDI information (step 202, Figure 2), the process 500 initiates at step 502, wherein the VCDI information associated with one or more VPN tunnels is advertised to the AD components of the PE routers (e.g., AD components 112, 114, Figure 1), as discussed above. At this point, it may be unnecessary to exchange Layer-2 VPN services. As noted above, the VCDI information preferably is distributed as an extension of an auto-discovery protocol, such as BGP, DNS, or RADIUS.

[0035] At step 504, the tunnel signalling component (e.g., tunnel signalling components 116, 118, Figure 1) at a PE router negotiates with the tunnelling mechanism at a corresponding router to establish and configure one or more VPN tunnels based at least in part on the supplied VCDI information. This configuration may include, for example, negotiating QoS for the VPN tunnel, setting a minimum or maximum bandwidth for the VPN tunnel, specifying the tunnelling mechanism, and the like. Alternatively, in one embodiment, the tunnel signalling component may select a pre-existing VPN tunnel that complies with some or all of the parameters set forth in the VCDI information.

[0036] Upon creation and configuration of the VPN tunnel (or selection of a pre-existing tunnel), Layer-2 VPN advertisements may be created at step 506 and distributed using the backbone BGP component (e.g., AD components 112, 114) at step 508.

[0037] At this point, it should be noted that implementing an auto-discovery VPN tunnel configuration process in accordance with the present invention as described above typically involves the processing of input data and the generation of output data to some extent. This input data processing and output data generation may be implemented in hardware or software. For example, specific electronic components may be employed in a node or similar or related circuitry for implementing an auto-discovery component and tunnel signalling component in accordance with the present invention as described above. Alternatively, one or more processors operating in accordance with stored instructions may implement the functions associated with implementing an auto-discovery VPN tunnel configuration process in accordance with the present invention as described above. If such is the case, it is within the scope of the present invention that such instructions may be stored on one or more processor readable media, or transmitted to one or more processors via one or more signals.

[0038] In summary, the invention provides a technique for resource distribution using an auto-discovery mechanism for Provider-Provisioned Layer-2 and Layer-3 Virtual Private Networks. In one particular exemplary embodiment, the technique may be realized by a method for establishing a Virtual Private Network (VPN) tunnel between a first provider edge (PE) device and a second (PE) device of a provider-provisioned VPN. The method comprises advertising at least one tunnel-based parameter to one or more PE devices over a network backbone using an auto-discovery mechanism, the one or more PE devices including at least one of the first and second PE devices. The method further comprises configuring a VPN tunnel between the first and second PE devices based at least in part on the at least one tunnel-based parameter.

[0039] The present invention is not to be limited in scope by the specific embodiments described herein. Indeed, various modifications of the present invention, in addition to those described herein, will be apparent to those of ordinary skill in the art from the foregoing description and accompanying drawings. Thus, such modifications are intended to fall within the scope of the following appended claims. Further, although the present invention has been described herein in the context of a particular implementation in a particular environment for a particular purpose, those of ordinary skill in the art will recognize that its usefulness is not limited thereto and that the present invention can be beneficially implemented in any number of environments for any number of purposes.



Claims 

1. A method for establishing a Virtual Private Network VPN tunnel (170) between a first provider edge PE device (102) and a second PE device (104) of a Provider-Provisioned VPN PPVPN (100) comprising:

   advertising at least one tunnel-based parameter to one or more PE devices over a network backbone (106) using an auto-discovery mechanism, the one or more PE devices including at least one of the first and second PE devices; and
   configuring a VPN tunnel between the first and second PE devices based at least in part on the at least one tunnel-based parameter.

2. The method as in Claim 1, wherein the auto-discovery mechanism includes one of: a Border Gateway Protocol BGP-based mechanism; a Domain Name Service DNS-based mechanism; and a Remote Authentication Dial In User Service RADIUS-based mechanism.

3. The method as in Claim 2, wherein the at least one tunnel-based parameter is distributed to the one or more PE devices as an extension of an auto-discovery protocol.

4. The method as in Claim 1, wherein configuring the VPN tunnel includes configuring the VPN tunnel using at least one tunnel signalling mechanism.

5. The method as in Claim 4, wherein the at least one tunnel signalling mechanism includes one of: a Resource Reservation Protocol RSVP-based mechanism; a Resource Reservation Protocol-Traffic Engineered RSVP-TE-based mechanism; a Label Distribution Protocol LDP-based mechanism; and a Constraint-based Routing LDP CR-LDP based mechanism.

6. The method as in Claim 1, wherein the at least one tunnel parameter includes one of: a type of tunnelling mechanism; at least one PE tunnel endpoint; at least one community route target; topology information; and at least one resource parameter.

7. The method as in Claim 6, wherein the at least one resource parameter includes one of: minimum bandwidth; maximum delay; committed burst size; committed rate; jitter; error; ownership; physical position and transport medium.

8. The method of Claim 1, wherein configuring the VPN tunnel includes selecting a pre-existing VPN tunnel, the pre-existing VPN tunnel being compliant with the at least one tunnel parameter.

9. A Provider-Provisioned Virtual Private Network PPVPN system comprising:

auto-discovery means for distributing at least one Virtual Private Network VPN tunnel-based parameter to at least a first and second provider edge PE devices (102, 104); and
tunnel signalling means for configuring a VPN tunnel (170) over a network backbone (106) between the first and second PE devices based at least in part on the at least one tunnel-based parameter.

10. The system as in Claim 9, wherein the auto-discovery means is adapted to distribute the at least one tunnel-based parameter as an extension of at least one auto-discovery protocol.

11. The system as in Claim 10, wherein the auto-discovery protocol comprises one of: a Border Gateway Protocol BGP-based mechanism; a Domain Name Service DNS-based mechanism; and a Remote Authentication Dial In User Service RADIUS-based mechanism.

12. The system as in Claim 9, wherein the tunnel signalling means includes one of: a Resource Reservation Protocol RSVP-based mechanism; a Resource Reservation Protocol-Traffic Engineered RSVP-TE-based mechanism; a Label Distribution Protocol LDP-based mechanism; and a Constraint-based Routing LDP CR-LDP based mechanism.

13. The system as in Claim 9, wherein the at least one tunnel parameter includes one of: a type of tunnelling mechanism; at least one PE tunnel endpoint; at least one community route target; topology information; and at least one resource parameter.

14. The system as in Claim 13, wherein the at least one resource parameter includes one of: minimum bandwidth; maximum delay; committed burst size; committed rate; jitter; error; ownership; physical position and transport medium.

15. The system as in Claim 10 comprising:

the network backbone; and
the first and second PE devices each operably connected to the network backbone.



Patent claims

1. A method for establishing a virtual private network, VPN, tunnel (170) between a first provider edge, PE, device (102) and a second PE device (104) of a provider-provisioned VPN, PPVPN, (100), comprising the following steps:

advertising at least one tunnel-based parameter to one or more PE devices over a network backbone (106) using an auto-discovery mechanism, the one or more PE devices including at least one of the first and second PE devices; and
configuring a VPN tunnel between the first and second PE devices based at least in part on the at least one tunnel-based parameter.

2. The method according to claim 1, in which the auto-discovery mechanism includes one of the following mechanisms: a Border Gateway Protocol, BGP, based mechanism; a Domain Name Service, DNS, based mechanism; and a Remote Authentication Dial In User Service, RADIUS, based mechanism.

3. The method according to claim 2, in which the at least one tunnel-based parameter is distributed to the one or more PE devices as an extension of an auto-discovery protocol.

4. The method according to claim 1, in which the configuration of the VPN tunnel includes configuring the VPN tunnel using at least one tunnel signalling mechanism.

5. The method according to claim 4, in which the at least one tunnel signalling mechanism includes one of the following mechanisms: a Resource Reservation Protocol, RSVP, based mechanism; a Resource Reservation Protocol-Traffic Engineered, RSVP-TE, based mechanism; a Label Distribution Protocol, LDP, based mechanism; and a constraint-based routing, LDP-CR-LDP, based mechanism.

6. The method according to claim 1, in which the at least one tunnel parameter includes one of the following parameters: a type of tunnelling mechanism; at least one PE tunnel endpoint; at least one community route target; topology information; and at least one resource parameter.

7. The method according to claim 6, in which the at least one resource parameter includes one of the following parameters: minimum bandwidth; maximum delay; committed burst size; committed rate; jitter; error; ownership; physical position and transport medium.

8. The method according to claim 1, in which the configuration of the VPN tunnel includes selecting a pre-existing VPN tunnel, the pre-existing VPN tunnel satisfying at least one tunnel parameter.

9. A provider-provisioned virtual private network, PPVPN, system, comprising:

auto-discovery means for distributing at least one virtual private network, VPN, tunnel-based parameter to at least a first and a second provider edge PE device (102, 104); and
tunnel signalling means for configuring a VPN tunnel (170) over a network backbone (106) between the first and second PE devices based at least in part on the at least one tunnel-based parameter.

10. The system according to claim 9, in which the auto-discovery means is adapted to distribute the at least one tunnel-based parameter as an extension of at least one auto-discovery protocol.

11. The system according to claim 10, in which the auto-discovery protocol comprises one of the following protocols: a Border Gateway Protocol, BGP, based mechanism; a Domain Name Service, DNS, based mechanism; and a Remote Authentication Dial In User Service, RADIUS, based mechanism.

12. The system according to claim 9, in which the tunnel signalling means includes one of the following mechanisms: a Resource Reservation Protocol, RSVP, based mechanism; a Resource Reservation Protocol-Traffic Engineered, RSVP-TE, based mechanism; a Label Distribution Protocol, LDP, based mechanism; and a constraint-based routing, LDP-CR-LDP, based mechanism.

13. The system according to claim 9, in which the at least one parameter includes one of the following parameters: a type of tunnelling mechanism; at least one PE tunnel endpoint; at least one community route target; topology information; and at least one resource parameter.

14. The system according to claim 13, in which the at least one resource parameter includes one of the following parameters: minimum bandwidth; maximum delay; committed burst size; committed rate; jitter; error; ownership; physical position and transport medium.

15. The system according to claim 10, comprising:

the network backbone; and
the first and second PE devices, each operably connected to the network backbone.



Claims

1. A method for establishing a virtual private network VPN tunnel (170) between a first provider edge PE device (102) and a second PE device of a provider-provisioned VPN PPVPN (100), comprising the steps of:

advertising at least one tunnel-based parameter to one or more PE devices over a network backbone (106) using an auto-discovery mechanism, the one or more PE devices comprising at least one of the first PE device and the second PE device; and
configuring a VPN tunnel between the first PE device and the second PE device based at least in part on the at least one tunnel-based parameter.

2. The method according to claim 1, wherein the auto-discovery mechanism comprises one of: a mechanism based on the Border Gateway Protocol BGP; a mechanism based on the Domain Name Service DNS; and a mechanism based on the Remote Authentication Dial In User Service RADIUS.

3. The method according to claim 2, wherein the at least one tunnel-based parameter is distributed to the one or more PE devices as an extension of an auto-discovery protocol.

4. The method according to claim 1, wherein configuring the VPN tunnel comprises configuring the VPN tunnel using at least one tunnel signalling mechanism.

5. The method according to claim 4, wherein the at least one tunnel signalling mechanism comprises one of: a mechanism based on the Resource Reservation Protocol RSVP; a mechanism based on the Resource Reservation Protocol with traffic engineering RSVP-TE; a mechanism based on the Label Distribution Protocol LDP; and a mechanism based on LDP with constraint-based routing CR-LDP.

6. The method according to claim 1, wherein the at least one tunnel parameter comprises one of: a type of tunnelling mechanism; at least one PE tunnel endpoint; at least one community route target; topology information; and at least one resource parameter.

7. The method according to claim 6, wherein the at least one resource parameter comprises one of: minimum bandwidth; maximum delay; committed burst size; committed rate; jitter; error; ownership; physical position and transport medium.

8. The method according to claim 1, wherein configuring the VPN tunnel comprises selecting a pre-existing VPN tunnel, the pre-existing VPN tunnel being compliant with the at least one tunnel parameter.

9. A provider-provisioned virtual private network PPVPN system comprising:

auto-discovery means for distributing at least one virtual private network VPN tunnel-based parameter to at least a first and a second provider edge PE device (102, 104); and
tunnel signalling means for configuring a VPN tunnel (170) over a network backbone (106) between the first PE device and the second PE device based at least in part on the at least one tunnel-based parameter.

10. The system according to claim 9, wherein the auto-discovery means are adapted to distribute the at least one tunnel-based parameter as an extension of at least one auto-discovery protocol.

11. The system according to claim 10, wherein the auto-discovery protocol comprises one of: a mechanism based on the Border Gateway Protocol BGP; a mechanism based on the Domain Name Service DNS; and a mechanism based on the Remote Authentication Dial In User Service RADIUS.

12. The system according to claim 9, wherein the tunnel signalling means comprise one of: a mechanism based on the Resource Reservation Protocol RSVP; a mechanism based on the Resource Reservation Protocol with traffic engineering RSVP-TE; a mechanism based on the Label Distribution Protocol LDP; and a mechanism based on LDP with constraint-based routing CR-LDP.

13. The system according to claim 9, wherein the at least one tunnel parameter comprises one of: a type of tunnelling mechanism; at least one PE tunnel endpoint; at least one community route target; topology information; and at least one resource parameter.

14. The system according to claim 13, wherein the at least one resource parameter comprises one of: minimum bandwidth; maximum delay; committed burst size; committed rate; jitter; error; ownership; physical position and transport medium.

15. The system according to claim 10 comprising:

the network backbone; and
the first and the second PE devices, each operably connected to the network backbone.
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